RE: [Full-Disclosure] Gates: 'You don't need perfect code' for good security

From: Beaty, Bryan (Bryan.Beaty_at_vector.com)
Date: 11/01/03

  • Next message: Geoincidents: "Re: [Full-Disclosure] Re: Gates: 'You don't need perfect code' for good security"
    To: <full-disclosure@lists.netsys.com>
    Date: Fri, 31 Oct 2003 17:50:03 -0600
    Correct me if I am wrong but...

    I believe every worm listed below could have been prevented had everyone
    patched their systems.

    I would like the security community to take more responsibility for
    their own (in)actions. If you were hit by Blaster then you failed to
    enforce a good patch management policy. Whose fault is that? Patch
    management is boring and so we often ignore it. Hackers and worms simply
    take advantage of our laziness. I guess Blaster could be a form of
    social engineering. "I know admins don't patch so I can write a worm and
    kill the world."

    There is no such thing as perfect code. If you want a completely secure
    system you can buy them but they are unbelievably expensive. If you have
    a business justification for something that secure then buy it.
    Otherwise you have to live with what you can get from Linux, UNIX, or
    even Microsoft.

    Microsoft has at least come out with some very good patch management
    systems lately (SUS) and they are free. Red Hat charges me a yearly fee
    for their RHN.

    I believe the #1 security threat today is poor patch management. Is that
    Microsoft's fault?

    --> I am off of my soap box now.

    Bryan Beaty

    -----Original Message-----
    From: Exibar [mailto:exibar@thelair.com]
    Sent: Friday, October 31, 2003 1:40 PM
    To: Jeremiah Cornelius; full-disclosure@lists.netsys.com
    Subject: Re: [Full-Disclosure] Gates: 'You don't need perfect code' for
    good security

    What an idiot....

       Take the LoveLetter worm: when it was first released, even if you had
    a 100% up to date AntiVirus software program, you would still get hit
    within the first 8 hours.... Slammer, Blaster, etc. all the same thing. They
    took advantage of holes in the OPERATING SYSTEM!!!!

       Yes we have ways of updating our VirusSoftware that works very very
    well, McAfee has E-Policy Orchestrator, which I swear by.

      I'm not going to go on, but if Windows was as secure as Bill Gates and
    company says it is, why were Blaster, Slammer, CodeRed etc. even an issue?

       Exibar

    ----- Original Message -----
    From: "Jeremiah Cornelius" <jeremiah@nur.net>
    To: <full-disclosure@lists.netsys.com>
    Sent: Friday, October 31, 2003 1:32 PM
    Subject: [Full-Disclosure] Gates: 'You don't need perfect code' for good
    security

    > FLAME ON!
    >
    > http://www.itbusiness.ca/index.asp?theaction=61&sid=53897
    >
    > "But there are two other techniques: one is called firewalling and the
    > other is called keeping the software up to date. None of these problems
    > (viruses and worms) happened to people who did either one of those
    > things. If you had your firewall set up the right way - and when I say
    > firewall I include scanning e-mail and scanning file transfer -- you
    > wouldn't have had a problem. But did we have the tools that made that
    > easy and automatic and that you could really audit that you had done
    > it? No. Microsoft in particular and the industry in general didn't have
    > it."
    >
    > "The second is just the updating thing. Anybody who kept their software
    > up to date didn't run into any of those problems, because the fixes
    > preceded the exploit. Now the times between when the vulnerability was
    > published and when somebody has exploited it, those have been going
    > down, but in every case at this stage we've had the fix out before the
    > exploit. So next is making it easy to do the updating, not for general
    > features but just for the very few critical security things, and then
    > reducing the size of those patches, and reducing the frequency of the
    > patches, which gets you back to the code quality issues. We have to
    > bring these things to bear, and the very dramatic things that we can do
    > in the short term have to do with the firewalls and the updating
    > infrastructure."
    >
    > _______________________________________________
    > Full-Disclosure - We believe in it.
    > Charter: http://lists.netsys.com/full-disclosure-charter.html


